FCC closes virus upload loophole on its website

Image caption
The FCC is taking steps to improve the security of its website after internet users spotted a serious vulnerability

The Federal Communications Commission (FCC) has taken steps to secure its website after users discovered they could upload malware to it.

On Thursday, security researchers discovered a function connected to the US government agency website’s comment system that let them upload files.

The site allowed anyone to sign up to obtain a software key that let them upload the files they wanted.

The FCC said there was no evidence malware had actually been uploaded.

“The FCC comment system is designed to maximise inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case,” the FCC told the BBC.

“The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system.”

At the time of writing it is no longer possible to upload files in this manner, the communications watchdog said.

In plain sight

The bug emerged in what is known as application programming interface (API) available via the FCC site.

APIs are a well established technology and let developers interact via the web with the data that organisations hold and the services they offer.

While the comment system was easy for members of the public to use and upload files to when making complaints to the watchdog, the API was not meant to be publicly accessible.

However, anyone who knew where to find the API on the FCC’s website could request access to it. Documentation explaining how to upload documents was also publicly available on the site.

Security researchers experimented with the API, filling in forms to request access to keys that let them use it via email.

When they received the key, the users were surprised to find that they were able to upload any file type they liked to the website, whether the files were documents, music files or executable code.

The programmers claimed they were able to upload files as big as 25MB in size, Guise Bule, the editor of Contratastic magazine wrote on website Medium.